<?
/* SECURITY (don't touch) */
defined('_INCL')||(header('HTTP/1.1 403 Forbidden')&die('403.14 - Access denied.'));
/**************************/


//----------------------------------------
/* Standardize $_SERVER-array for different kinds of requests, from different clients */
	if( empty($_SERVER['HTTP_REFERER']) ){
		$_SERVER['HTTP_REFERER'] = '';//basename($_SERVER['PHP_SELF']);//Default
	}
	if( !empty($_GET['X_Referer']) ){//Custom field, for Ajax & CURL in FireFox
		$_SERVER['HTTP_REFERER'] = $_GET['X_Referer']; unset($_GET['X_Referer']);
	}
	if( !empty($_SERVER['HTTP_X_REFERER']) ){//Custom field, for Ajax & CURL in FireFox
		$_SERVER['HTTP_REFERER'] = $_SERVER['HTTP_X_REFERER']; unset($_SERVER['HTTP_X_REFERER']);
	}

	if( !empty($_SERVER['HTTP_REMOTE_ADDR']) ){
		$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_REMOTE_ADDR'];
	} else {
		$_SERVER['REMOTE_ADDR'] = (!empty($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : 'No.IP.avail.able';
	}
	$_SERVER['REMOTE_ADDR'] = preg_replace("/:+/",".",$_SERVER['REMOTE_ADDR']);//Allow for IPv6

	$_SERVER['HTTP_USER_AGENT'] = (!empty($_SERVER['HTTP_USER_AGENT'])) ? substr($_SERVER['HTTP_USER_AGENT'],0,255) : 'Empty';
	$_SERVER['HTTP_ACCEPT_LANGUAGE'] = (!empty($_SERVER['HTTP_ACCEPT_LANGUAGE'])) ? substr($_SERVER['HTTP_ACCEPT_LANGUAGE'],0,60) : 'Empty';
	$_SERVER['HTTP_ACCEPT_ENCODING'] = (!empty($_SERVER['HTTP_ACCEPT_ENCODING'])) ? substr($_SERVER['HTTP_ACCEPT_ENCODING'],0,60) : 'Empty';
	$_SERVER['HTTP_ACCEPT_CHARSET'] = (!empty($_SERVER['HTTP_ACCEPT_CHARSET'])) ? substr($_SERVER['HTTP_ACCEPT_CHARSET'],0,20) : 'utf-8';
	$_SERVER['HTTP_ACCEPT'] = (!empty($_SERVER['HTTP_ACCEPT'])) ? substr($_SERVER['HTTP_ACCEPT'],0,255) : '*/*';
	$_SERVER['HTTP_DNT'] = (!empty($_SERVER['HTTP_DNT'])) ? substr($_SERVER['HTTP_DNT'],0,5) : 'Empty';
/* END Standardize */



//----------------------------------------
/* Define URLs and Paths */
	$URLprotocol = (stripos($_SERVER['SERVER_PROTOCOL'],'https') === true) ? 'https://' : 'http://';
	$RootPath = $_SERVER['DOCUMENT_ROOT'].DIRECTORY_SEPARATOR.$_ENV['URLs']['MainDir'];
	$_ENV['URLs'] = array(
		'Domaine'=>$_ENV['URLs']['Domaine'],
		'MainDir'=>$_ENV['URLs']['MainDir'],
		'RootPath'=>$RootPath,
		'SessPath'=>$RootPath.'_Core/Session/_SessDB'.hash('adler32',_CRYPT1).DIRECTORY_SEPARATOR,
		'LogPath'=>$RootPath.'_Core/Session/_LOGfiles'.hash('crc32b',_CRYPT2).DIRECTORY_SEPARATOR,
		'RootUrl'=>$URLprotocol.$_SERVER['HTTP_HOST'].'/'.current(explode('/',$_SERVER['PHP_SELF'])).$_ENV['URLs']['MainDir'],
		'CurrDir'=>substr( str_replace($_ENV['URLs']['MainDir'],'',(dirname($_SERVER['PHP_SELF'])).'/'),1 ),
		'CurrFile'=>basename($_SERVER['PHP_SELF']),
		'CallFile'=>str_replace($_ENV['URLs']['MainDir'],'',current(explode('?',basename($_SERVER['HTTP_REFERER'])))),
	); unset($URLprotocol,$RootPath);
/* END definitions */

//echo '<pre>URLs:<br/>'; print_r($_ENV['URLs']); echo '</pre>'; die();//DEBUG

if( !is_dir($_ENV['URLs']['LogPath']) ){ mkdir($_ENV['URLs']['LogPath']); }



//----------------------------------------
/* Obfuscation / Defuscation */
	if( isset($_COOKIE) ){
		define('_ObfuscateToken',hash('adler32',implode('',array_keys($_COOKIE))));
	} else {
		define('_ObfuscateToken',hash('adler32',$_ENV['URLs']['LogPath']));
	}

	$_ENV['UniversalJS'] = /* Obfuscate JavaScript */
	"function Obfuscate(a){a=a.join('&');b='';
		for(i=0;i<a.length;i++){
			c=ZeroPad(a.charCodeAt(i),6);
			b+=c.substr(3,3).split('').reverse().join('')+c.substr(0,3).split('').reverse().join('');
		}return'"._ObfuscateToken."='+b;
	}";

	function Defuscate($InputString){//Returns array with same structure as InputArray had, before JS-obfuscation.
		$Output = str_split($InputString,6);
		foreach($Output as $index => &$Code){
			$Code = strrev(substr($Code,3,3)).strrev(substr($Code,0,3));
			$Code = html_entity_decode('&#'.$Code.';',ENT_NOQUOTES,'UTF-8');
		}
		$Output = explode('&',implode('',$Output));
		foreach( $Output as $i => $v ){
			$v = explode('=',$v);
			$Output[$v[0]] = $v[1];
			unset($Output[$i]);
		}
		return $Output;
	}

	if(isset($_POST[_ObfuscateToken])){
		$_POST = Defuscate($_POST[_ObfuscateToken]);
		//echo '<pre>POST Defuscated: <br/>'; print_r($_POST); echo '</pre>'; die('');//DEBUG
	}
	if(isset($_GET[_ObfuscateToken])){
		$_GET = Defuscate($_GET[_ObfuscateToken]);
		//echo '<pre>GET Defuscated: <br/>'; print_r($_GET); echo '</pre>'; die('');//DEBUG
	}



//----------------------------------------
/* Input-filter ... see: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet */
	$Blacklist = array(//Every encoding-variant (just lowercase needed) of the character '<', longest first
		'&#x000003c',
		'&#x00003c',
		'&#0000060',
		'&#x0003c',
		'&#000060',
		'&#00060',
		'&#x003c',
		'&#0060',
		'&#x03c',
		'&#060',
		'&#x3c',
		'u003c',
		'&#60',
		'&lt',
		'%3c',
		'x3c',
		'<'
	); $Replace = '＜';// ‹ ⊂ ⋖ 〈 ◁ ❮ ⟨ ⦉ ⦑ ⦓ ⦣ ⧼ ⩤ ⩹ ⪡ ⫷ 〱 ㄑ ﴾ ＜ 𐅻 ک

	$_SERVER['HTTP_REFERER'] = str_ireplace($Blacklist,$Replace,preg_replace('/( )+/u',' ',trim(substr($_SERVER['HTTP_REFERER'],0,255))));
	$_SERVER['HTTP_USER_AGENT'] = str_ireplace($Blacklist,$Replace,preg_replace('/( )+/u',' ',trim($_SERVER['HTTP_USER_AGENT'])));
	$_SERVER['HTTP_ACCEPT_LANGUAGE'] = str_ireplace($Blacklist,$Replace,preg_replace('/( )+/u',' ',trim($_SERVER['HTTP_ACCEPT_LANGUAGE'])));
	$_SERVER['HTTP_ACCEPT_ENCODING'] = str_ireplace($Blacklist,$Replace,preg_replace('/( )+/u',' ',trim($_SERVER['HTTP_ACCEPT_ENCODING'])));
	$_SERVER['HTTP_ACCEPT'] = str_ireplace($Blacklist,$Replace,preg_replace('/( )+/u',' ',trim($_SERVER['HTTP_ACCEPT'])));

	if( !empty($_GET) ){
		foreach($_GET as $K => $V){
			unset($_GET[$K]);
			$K = substr($K,0,40);//Max 40 characters as variable-name?
			$K = preg_replace('/( )+/u',' ',trim($K));//Sanitize whitespace
			$K = str_ireplace($Blacklist,$Replace,$K);
			$V = substr($V,0,128);//Max 128 characters as variable-content?
			$V = preg_replace('/( )+/u',' ',trim($V));//Sanitize whitespace
			$V = str_ireplace($Blacklist,$Replace,$V);
			$_GET[$K] = $V;
		}
	}
	if( !empty($_POST) ){
		foreach($_POST as $K => $V){
			unset($_POST[$K]);
			$K = substr($K,0,40);//Max 40 characters as variable-name?
			$K = preg_replace('/( )+/u',' ',trim($K));//Sanitize whitespace
			$K = str_ireplace($Blacklist,$Replace,$K);
			$V = substr($V,0,9999);//Max 9999 characters as variable-content?
			$V = preg_replace('/( )+/u',' ',trim($V));//Sanitize whitespace
			$V = str_ireplace($Blacklist,$Replace,$V);
			$_POST[$K] = $V;
		}
	}
	if( !empty($_COOKIE) ){
		foreach($_COOKIE as $K => &$V){//Change by reference
			//Probably not wise to sanitize cookie-names
			$V = substr($V,0,64);//Max 64 characters as cookie-content?
			$V = preg_replace('/( )+/u',' ',trim($V));//Sanitize whitespace
			$V = str_ireplace($Blacklist,$Replace,$V);
		}
	}
	unset($BlackList,$Replace);//cleanup

	$_REQUEST = array_merge($_COOKIE,$_GET,$_POST);//Rebuild _REQUEST, so we can trust it later
/* END Filter */

?>
